Bashware hacking technique puts 400 million Windows 10 PCs at risk

Some 400 million PC running Windows 10 around the world could be vulnerable to a fresh cyber attack technique called Bashware.

Discovered and dubbed by cyber security firm Check Point, Bashware exploits the built-in Linux shell in Windows to allow malware to bypass common antivirus and other security software.

And given the Linux shell, known as Windows Subsystem for Linux (WSL), makes up the core build of Windows 10, all machines running Microsoft’s operating system could be open to hack attacks that exploit the technique.

“Bashware is so alarming because it shows how easy it is to take advantage of the WSL mechanism to allow any malware to bypass security products,” said Check Point threat researchers Dvir Atias and Gal Elbaz. “We tested this technique on most of the leading anti-virus and security products on the market, successfully bypassing them all.”

WSL is usually used to make it easier for software developers to test code on Linux and Windows environments and it requires a developer to activate it before it can be used. The alarming thing about Bashware is it automates this process, essentially switching on WSL and enabling malware to exploit the attack technique.

Interestingly, the vulnerability is not down to any flaws or poor implementation of WSL but instead the Check Point researchers explained cyber security product vendors were simply not aware of the technique so have yet to protect against it.

“This may open a door for cyber criminals wishing to run their malicious code undetected, and allow them to use the features provided by WSL to hide from security products that have not yet integrated the proper detection mechanisms,” said the researchers.

“We believe that it is both vital and urgent for security vendors to support this new technology in order to prevent threats such as the ones demonstrated by Bashware.”

But there is a saving grace in that hackers first need to be in possession of a target computer’s admin privileges, though a determined cyber criminal has a whole host of techniques, from trojan malware to social engineering, to get such information, though doing so poses the risk of being detected by security software tuned to spot these hacking techniques.

Microsoft is reportedly helping security companies deal with defending against such techniques and told Motherboard that Bashware isn’t something to worry too much about.

“We reviewed and assessed this to be of low risk,” the Microsoft spokesperson said. “One would have to enable developer mode, then install the component, reboot, and install Windows Subsystem for Linux in order for this to be effective. Developer mode is not enabled by default.”

But if a hacker has the right privileges then they can activate developer mode by modifying a few registry keys and then wait or trick the victim into rebooting their PC.

According to Motherboard, Symantec’s security software is already tuned to detect WSL attacks. while cyber security firm Kaspersky is working on getting its software into shape to beat back Bashware.

Overall, it would appear that Bashware is a particularly powerful attack technique once brought to bear on Windows 10 machines, but security companies do seem to be in the process of shoring up PC defences to cope with the new cyber threat.